Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-13 Thread Jakob Bohm


On 14/12/2016 08:30, 杨俊 wrote:

> Hi openssl-er,
>
> I'm a newbie to openssl.
> Recently, I ported openssl to my embedded Linux device and ran the
> openssl command.
>
> But an error occurred.
> I searched Google a lot, but I didn't find the answer.
> My issue is strange; my test steps are like below:
> 1. copy the openssl, libs, cacert.pem to the embedded Linux platform.


Does cacert.pem contain the CA certificate that issued the certificate for
https://curl.haxx.se ?

In general, the argument to -CAfile should be the concatenation of the PEM
format CA root certificates that your embedded platform wants to trust as
issuing trustworthy certificates for servers you will connect to.

Alternatively, the argument to -CApath should point to a directory
(traditionally named "/etc/ssl/certs") containing:

  One PEM file with each such trusted CA certificate
  The symlinks generated by the c_rehash script (these map simple checksums
of the certificate names to the file names containing CA certificates
with names with those checksums, this reduces memory consumption but
increases disk read operations).

If your embedded file system does not support symlinks, you can instead
rename the PEM files to the names of the symlinks that c_rehash generates
on a more full-blown development computer.


> 2. run the command:
> /tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile /tmp/cacert.pem
>
> 3. the error log is
> --log
> CONNECTED(0003)
> depth=0 CN = anja.haxx.se
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = anja.haxx.se
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=anja.haxx.se
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> --
>
> 4. my openssl version -d and version is
> /tmp # ./openssl version
> OpenSSL 1.1.0c  10 Nov 2016
> /tmp # ./openssl version -d
> OPENSSLDIR: "/home/georgeyang/workspace/speech_code/openssl/openssl/final"
>
> 5. On my PC, I found this command worked well. It could return the ok value.
> Although the openssl version is 1.0.1f.
> So I think my cacert.pem is right.
>
> 6. I also used other commands like:
> /tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /tmp/cacert.pem
> /tmp # ./openssl s_client -CApath /home/georgeyang/workspace/speech_code/openssl/openssl/final/ -connect curl.haxx.se:443
> /tmp # ./openssl s_client -connect curl.haxx.se:443 -servername curl.haxx.se -key /etc/ssl/private/ssl-cert-snakeoil.key -CAfile /etc/ssl/certs/cacert.pem
>
> But they are all NG.
>
> On Google, they all said -CAfile or -CApath could help, but it doesn't work for me. >"<
>
> Please help

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
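Added example, not part of Jakob's reply and not one of the OpenSSL project's own scripts: a POSIX shell function that does for a symlink-less embedded file system what the reply describes. It splits a concatenated bundle such as cacert.pem into one file per certificate and names each file <subject_hash>.<n>, the names c_rehash would give its symlinks, so the resulting directory can be handed to -CApath. It assumes only that an openssl binary is on PATH; the bundle path and output directory are arguments, and the last function is a quick check that what you pass to -CApath is really a directory of hash-named files rather than a bundle file.

```shell
#!/bin/sh
# Added example: build an OpenSSL -CApath directory without symlinks.
# Assumes the `openssl` binary is on PATH; all paths below are arguments.
set -eu

# split_bundle <bundle.pem> <dir>
# Writes each "-----BEGIN CERTIFICATE-----" block of the bundle to
# <dir>/certN.pem. Text outside the PEM markers (the human-readable dumps
# that some bundles carry between certificates) is ignored.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
}

# make_capath <bundle.pem> <outdir>
# Populates <outdir> with <subject_hash>.<n> files, the layout that the
# hash-directory lookup behind -CApath reads. The <n> suffix starts at 0
# and is incremented when two certificates share a subject hash.
# Prints the number of certificates written.
make_capath() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    tmpdir=$(mktemp -d)
    split_bundle "$bundle" "$tmpdir"
    count=0
    for f in "$tmpdir"/cert*.pem; do
        [ -e "$f" ] || continue          # glob matched nothing
        # Same hash that c_rehash uses for its symlink names.
        h=$(openssl x509 -in "$f" -noout -subject_hash)
        i=0
        while [ -e "$outdir/$h.$i" ]; do
            i=$((i + 1))
        done
        cp "$f" "$outdir/$h.$i"
        count=$((count + 1))
    done
    rm -rf "$tmpdir"
    echo "$count"
}

# count_capath_entries <dir>
# Number of hash-named files present: a sanity check that -CApath will
# actually find something. A bundle *file* passed here yields 0.
count_capath_entries() {
    ls "$1" 2>/dev/null | grep -c '^[0-9a-f]\{8\}\.[0-9]*$' || true
}
```

Usage on the device would be `make_capath /tmp/cacert.pem /tmp/certs` followed by `./openssl s_client -connect curl.haxx.se:443 -CApath /tmp/certs`. When the argument to -CApath is a file rather than a directory, the hash-directory lookup finds no certificates at all, so `count_capath_entries` returning 0 is the first thing to check.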

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-13 Thread 杨俊
Hi openssl-er,

I'm a newbie to openssl.
Recently, I ported openssl to my embedded Linux device and ran the
openssl command.
But an error occurred.
I searched Google a lot, but I didn't find the answer.
My issue is strange; my test steps are like below:
1. copy the openssl, libs, cacert.pem to the embedded Linux platform.

2. run the command:
/tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile /tmp/cacert.pem

3. the error log is
--log 
CONNECTED(0003)
depth=0 CN = anja.haxx.se
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
--

4. my openssl version -d and version is
/tmp # ./openssl version
OpenSSL 1.1.0c  10 Nov 2016
/tmp # ./openssl version -d
OPENSSLDIR: "/home/georgeyang/workspace/speech_code/openssl/openssl/final"

5. On my PC, I found this command worked well. It could return the ok value.
Although the openssl version is 1.0.1f.
So I think my cacert.pem is right.

6. I also used other commands like:
/tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /tmp/cacert.pem
/tmp # ./openssl s_client -CApath /home/georgeyang/workspace/speech_code/openssl/openssl/final/ -connect curl.haxx.se:443
/tmp # ./openssl s_client -connect curl.haxx.se:443 -servername curl.haxx.se -key /etc/ssl/private/ssl-cert-snakeoil.key -CAfile /etc/ssl/certs/cacert.pem
But they are all NG.

On Google, they all said -CAfile or -CApath could help, but it doesn't work
for me. >"<
Please help

Thx


Re: [openssl-users] Signing an XML file

2016-12-13 Thread Anibal F. Martinez Cortina
2016-12-13 22:54 GMT-03:00 Salz, Rich :

> > Is there some equivalent to PHP's openssl_sign_pkcs7 function for C/C++
> users?
>
> Look at the apps/pkcs7.c file as a starting point.  Get the command line
> doing what you want, and then work through the code to pull out only the
> bits you need.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>

Got it, after some more reading, I've managed to pull:
A Valid X509 structure with the PEM file.
A Valid EVP_PKEY structure with the KEY file.
Created a BIO with BIO_new(BIO_s_mem()) and used BIO_read_filename with it.

Now I get to the part where I need to call PKCS7_sign(), right?
If so, I'm missing something, because:
PKCS7_sign(cert,key,NULL,fileBIO,NULL) produces NULL as a result.

Any hints?


Re: [openssl-users] Signing an XML file

2016-12-13 Thread Salz, Rich
> Is there some equivalent to PHP's openssl_sign_pkcs7 function for C/C++ users?

Look at the apps/pkcs7.c file as a starting point.  Get the command line doing 
what you want, and then work through the code to pull out only the bits you 
need.
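Following Rich's advice to get the command line doing the job first, here is an added example (not from the thread): PKCS#7 signing and verification of an XML file with `openssl smime`, the command-line front end to the same PKCS7_sign()/PKCS7_verify() calls. It assumes an openssl binary on PATH; the signer certificate, private key and file names are arguments. The flags map directly onto the C API: -nodetach embeds the content (PKCS7_sign() with flags 0 rather than PKCS7_DETACHED), and -binary is PKCS7_BINARY, which keeps the XML bytes as they are instead of applying MIME text canonicalisation.

```shell
#!/bin/sh
# Added example: PKCS#7 signing of an XML file from the command line, as a
# reference point before calling PKCS7_sign() from C.
# Assumes the `openssl` binary is on PATH; file names are arguments.
set -eu

# sign_xml_pkcs7 <signer-cert.pem> <signer-key.pem> <input.xml> <out.p7>
# Produces a PEM-encoded PKCS#7 SignedData that embeds the XML (-nodetach,
# the analogue of PKCS7_sign() with flags 0). -binary (PKCS7_BINARY) keeps
# the file bytes unchanged so the signature covers the real file rather
# than a CRLF-normalised copy.
sign_xml_pkcs7() {
    openssl smime -sign -binary -nodetach \
        -signer "$1" -inkey "$2" \
        -in "$3" -outform PEM -out "$4"
}

# verify_xml_pkcs7 <ca.pem> <in.p7> <recovered.xml>
# Verifies the signature and the signer's chain against the trust anchors
# in <ca.pem> and writes the embedded XML to <recovered.xml> on success.
# Prints "ok" or "fail" so the caller can branch on the result.
verify_xml_pkcs7() {
    if openssl smime -verify -binary -inform PEM \
            -in "$2" -CAfile "$1" -out "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}
```

Once this round trip works, a C implementation that builds the same PKCS7 structure should verify with `verify_xml_pkcs7` unchanged; the verify step also fails, as it should, when the signer does not chain to the certificate given as -CAfile.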



[openssl-users] Signing an XML file

2016-12-13 Thread Anibal F. Martinez Cortina
Hello everyone, I'm trying to sign an XML file; I need to do so with PKCS#7.
Is there some equivalent to PHP's openssl_sign_pkcs7 function for C/C++
users?
In particular, I'm using Qt as framework, but have also got OpenSSL libs
and headers installed.
The target platform is Microsoft Windows (x32)

Kind regards,
Anibal.-


Re: [openssl-users] AECDH problem: works in 1.0.2, fails in 1.1

2016-12-13 Thread Matt Caswell


On 13/12/16 21:09, Norm Green wrote:
> I have a simple C program that works in 1.0.2 but fails with the same
> code in 1.1.
> Here's the pseudo code for the client and server:
> 
> Server:
>   const SSL_METHOD *meth = TLSv1_2_server_method();
>   SSL_CTX *ctx = SSL_CTX_new(meth);
>   SSL_CTX_set_ecdh_auto(ctx, 1);
>   SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
>   SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
>   SSL_CTX_set_cipher_list(ctx, "AECDH");
>   SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
>   SSL *ssl = SSL_new(ctx);
>   SSL_accept(ssl);
> 
> 
> Client:
>   const SSL_METHOD *meth = TLSv1_2_client_method();
>   SSL_CTX *ctx = SSL_CTX_new(meth);
>   SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
>   SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
>   SSL_CTX_set_cipher_list(ctx, "AECDH");
>   SSL *ssl = SSL_new(ctx);
>   SSL_connect(ssl);
> 
> 
> In 1.1, the client gets this error from SSL_connect()
> 
> SSL_connect returned SSL_ERROR_SSL
> Details: error:141640B5:SSL routines:tls_construct_client_hello:no
> ciphers available
> ssl/statem/statem_clnt.c at 815
> 
> 
> What do I need to do to make AECDH work in 1.1 ?

AECDH is in security level 0 but the default security level is 1. Read
about security levels here:

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html

You need to set the security level to 0 either through a call to
SSL_CTX_set_security_level() or similar; or via the cipherstring using
"AECDH:@SECLEVEL=0". See:

https://www.openssl.org/docs/manmaster/man1/ciphers.html

Matt
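Added example (not from Matt's reply): a shell check of the same point using `openssl ciphers -s`, which lists only the suites that survive the security-level filter, the same filter that removes them before the ClientHello is built. It assumes an OpenSSL 1.1.0 or later binary on PATH (the `-s` option and the @SECLEVEL keyword both appeared in 1.1.0). With the default level the "AECDH" string expands to suites but none survive; appending @SECLEVEL=0 brings them back, with the obvious cost that these suites provide no server authentication.

```shell
#!/bin/sh
# Added example: show the effect of the security level on an "AECDH" cipher
# string without writing any C. Assumes `openssl` 1.1.0+ is on PATH.
set -eu

# supported_ciphers <cipherstring>
# `openssl ciphers` alone expands the string; with -s it keeps only the
# suites a connection could actually use after the security-level filter,
# one per line.
supported_ciphers() {
    openssl ciphers -s "$1" 2>/dev/null | tr ':' '\n'
}

# count_anon_ecdh <cipherstring>: AECDH suites that survive the filter.
count_anon_ecdh() {
    supported_ciphers "$1" | grep -c '^AECDH-' || true
}

# seclevel_explains_error <cipherstring>
# Prints "yes" when the string expands to AECDH suites that the current
# security level then removes entirely (the "no ciphers available"
# situation in the question), "no" otherwise.
seclevel_explains_error() {
    raw=$(openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c '^AECDH-' || true)
    kept=$(count_anon_ecdh "$1")
    if [ "$raw" -gt 0 ] && [ "$kept" -eq 0 ]; then
        echo yes
    else
        echo no
    fi
}
```

`seclevel_explains_error AECDH` prints yes on a default-configured build, and `seclevel_explains_error 'AECDH:@SECLEVEL=0'` prints no, which is the cipherstring form of the fix above; SSL_CTX_set_security_level(ctx, 0) in the program has the same effect.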





[openssl-users] AECDH problem: works in 1.0.2, fails in 1.1

2016-12-13 Thread Norm Green
I have a simple C program that works in 1.0.2 but fails with the same 
code in 1.1.

Here's the pseudo code for the client and server:

Server:
  const SSL_METHOD *meth = TLSv1_2_server_method();
  SSL_CTX *ctx = SSL_CTX_new(meth);
  SSL_CTX_set_ecdh_auto(ctx, 1);
  SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
  SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
  SSL_CTX_set_cipher_list(ctx, "AECDH");
  SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
  SSL *ssl = SSL_new(ctx);
  SSL_accept(ssl);


Client:
  const SSL_METHOD *meth = TLSv1_2_client_method();
  SSL_CTX *ctx = SSL_CTX_new(meth);
  SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
  SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
  SSL_CTX_set_cipher_list(ctx, "AECDH");
  SSL *ssl = SSL_new(ctx);
  SSL_connect(ssl);


In 1.1, the client gets this error from SSL_connect()

SSL_connect returned SSL_ERROR_SSL
Details: error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available

ssl/statem/statem_clnt.c at 815


What do I need to do to make AECDH work in 1.1 ?

Norm Green
